From 2e058e5c60d5ac12622e476a64ddf4744c0e8806 Mon Sep 17 00:00:00 2001
From: zimk
Date: Sun, 19 Apr 2026 19:44:35 +0800
Subject: [PATCH] Update verification TTL and init data checks

---
 .env.example | 5 -----
 src/index.ts | 22 +++++++++++++++++++++-
 2 files changed, 21 insertions(+), 6 deletions(-)
 delete mode 100644 .env.example

diff --git a/.env.example b/.env.example
deleted file mode 100644
index f9e88fd..0000000
--- a/.env.example
+++ /dev/null
@@ -1,5 +0,0 @@
-BOT_TOKEN=
-TG_WEBHOOK_SECRET=
-AI_BASE_URL=
-AI_API_KEY=
-TURNSTILE_SECRET=
\ No newline at end of file
diff --git a/src/index.ts b/src/index.ts
index d2d27e1..93eb000 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -77,7 +77,8 @@ interface RequestContext {
 const JOIN_PREFIX = "join:";
 const ACTIVE_PREFIX = "active:";
 const CHALLENGE_TTL_MS = 10 * 60 * 1000;
-const RECORD_TTL_SECONDS = 24 * 60 * 60;
+const RECORD_TTL_SECONDS = 30 * 60;
+const INIT_DATA_MAX_AGE_SECONDS = 10 * 60;
 type Locale = "zh" | "en";
 
 export default {
@@ -362,6 +363,25 @@ async function verifyTelegramWebAppInitData(env: Env, initData: string, expected
     throw new HttpError(401, "invalid_init_data_hash");
   }
 
+  const authDateRaw = params.get("auth_date");
+  if (!authDateRaw) {
+    throw new HttpError(401, "missing_init_data_auth_date");
+  }
+
+  const authDate = Number(authDateRaw);
+  if (!Number.isFinite(authDate)) {
+    throw new HttpError(401, "invalid_init_data_auth_date");
+  }
+
+  const nowSeconds = Math.floor(Date.now() / 1000);
+  if (authDate > nowSeconds + 30) {
+    throw new HttpError(401, "invalid_init_data_auth_date");
+  }
+
+  if (nowSeconds - authDate > INIT_DATA_MAX_AGE_SECONDS) {
+    throw new HttpError(401, "expired_init_data");
+  }
+
   const userRaw = params.get("user");
   if (!userRaw) {
     throw new HttpError(401, "missing_init_data_user");
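Review bot: The new values of `RECORD_TTL_SECONDS` (cut from 24 hours to 30 minutes) and `INIT_DATA_MAX_AGE_SECONDS` carry no comment saying what each one bounds, so a later reader cannot tell whether the shorter record lifetime is deliberate tightening or something that will expire records that are still legitimately looked up; the use sites are outside this hunk, so I cannot confirm either way. I would add one line above each constant, e.g. `// Lifetime of a stored verification record; deliberately short (30 min, was 24 h)` and `// Oldest auth_date (seconds) still accepted when validating Telegram Web App initData`. A note that these two are in seconds while `CHALLENGE_TTL_MS` just above is in milliseconds would also help, since the three constants sit together and are easy to mix up.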
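Review bot: `const authDate = Number(authDateRaw);` accepts forms a Telegram `auth_date` never takes — `"1e9"`, a hex literal, surrounding whitespace, or a fractional value — and all of them pass the `Number.isFinite` guard that follows, so the parse is looser than the field's format; the hash check at the top of the hunk runs first, so the value has already been authenticated before it is parsed, which keeps this from being an exploitable gap, but a strict parse makes the contract explicit: `if (!/^\d+$/.test(authDateRaw)) { throw new HttpError(401, "invalid_init_data_auth_date"); }` placed before the `Number(...)` call. The forward tolerance in `if (authDate > nowSeconds + 30)` is a bare magic number; a named constant such as `INIT_DATA_CLOCK_SKEW_SECONDS` next to `INIT_DATA_MAX_AGE_SECONDS`, commented as the allowed clock skew between Telegram's signing time and this server, would document why 30 was chosen. A brief comment above the new block, stating that the age check rejects replay of an old but validly signed initData, would tell a reader why this was added. verifyTelegramWebAppInitData begins before the hunk and its body continues after it.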